Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.

The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."

Some Signs of Progress

GAO acknowledges in the audit that the IRS has made progress in restricting access privileges for key financial applications and expanding multifactor authentication across the agency, a point IRS Commissioner John Koskinen accentuated in his written response to the report.

"The security and privacy of all taxpayer information is of the utmost importance to us, and the integrity of our financial systems continues to be sound," Koskinen says. The IRS chief says GAO recommendations in the latest audit "provided more specificity" than earlier reports; GAO sent 44 recommendations to the IRS in a private addendum to the audit. "While the increased level of detail has likely resulted in more recommendations, it will allow the IRS to better address cybersecurity risk," Koskinen says.

Auditors note, however, that the tax-collection agency has not fully implemented unique user identification and authentication that complies with a presidential directive.

The GAO report also notes that as the IRS expands the use of encryption, weak cryptography controls persist. GAO says it identified 11 systems that had not been configured to encrypt sensitive user authentication data. Such failures, the auditors say, increased the risk that unauthorized individuals could view and then use the data to gain unwarranted access to its system or sensitive information.

Koskinen concedes IRS information systems are vulnerable to attack. "We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day (see Tax Commissioner Expects More IRS Cyberattacks). "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."

Recent IRS Security Issues

Earlier this month, the IRS said it was temporarily deactivating an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud. The IRS said it had discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate identity protection PINs tied to tax filers' accounts, and it warned that it's facing up to 130,000 fraudulent returns (see IRS Disables Hacked PIN Tool).

Past Weaknesses Not 'Effectively Corrected'

In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected."

GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.
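A defender-side check for the three password-control failures the auditors describe (guessable passwords, no expiration set, service accounts never required to change their password), written as an added example that is not from the GAO audit or the article. The account records, the field names, the 90-day maximum age and the short deny-list are all constructed assumptions; a real identity-store export and enterprise policy would supply their own.

```python
"""Audit account records for the password-control weaknesses named in the report.

Added example: the records below are constructed, the field names are assumed,
and MAX_PASSWORD_AGE_DAYS / WEAK_PASSWORDS stand in for a real policy and a real
deny-list (NIST SP 800-63B recommends screening new passwords against such a list).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

MAX_PASSWORD_AGE_DAYS = 90          # assumed policy value
MIN_PASSWORD_LENGTH = 12            # assumed policy value

# Constructed deny-list; a production list is far larger and loaded from a file.
WEAK_PASSWORDS = {"password", "Password1", "welcome1", "changeme", "123456"}


@dataclass
class Account:
    """One row of a constructed identity-store export (field names assumed)."""
    name: str
    kind: str                               # "user" or "service"
    last_password_change: Optional[date]    # None = password never changed
    max_password_age_days: Optional[int]    # None = no expiration configured


def password_acceptable(candidate: str) -> bool:
    """Deny-list and length check applied when a password is set or rotated."""
    return candidate not in WEAK_PASSWORDS and len(candidate) >= MIN_PASSWORD_LENGTH


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the control failures for one account; an empty list means compliant."""
    issues: List[str] = []
    if acct.max_password_age_days is None:
        issues.append("no expiration configured")
    elif acct.max_password_age_days > MAX_PASSWORD_AGE_DAYS:
        issues.append(f"expiration {acct.max_password_age_days}d exceeds "
                      f"{MAX_PASSWORD_AGE_DAYS}d")
    if acct.last_password_change is None:
        issues.append("password never changed")
    elif (today - acct.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
        issues.append("password older than policy allows")
    return issues


def audit(accounts: Iterable[Account], today: date) -> Dict[str, List[str]]:
    """Map account name -> issues, keeping only accounts that have findings."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = audit_account(acct, today)
        if issues:
            findings[acct.name] = issues
    return findings


def service_accounts_never_required_to_change(accounts: Iterable[Account]) -> int:
    """Count service accounts with no forced password change (the '112 of 112' case)."""
    return sum(1 for a in accounts
               if a.kind == "service" and a.max_password_age_days is None)


# Constructed sample data: one compliant user, two service accounts, one stale admin.
SAMPLE_DATE = date(2016, 3, 28)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "user", date(2016, 2, 1), 90),           # compliant
    Account("batch01", "service", None, None),               # never rotated, no expiry
    Account("batch02", "service", date(2015, 1, 15), None),  # no expiry, stale password
    Account("admin7", "user", date(2015, 6, 1), 365),        # expiry too long, stale
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, SAMPLE_DATE).items():
        print(f"{name}: {'; '.join(issues)}")
    print("service accounts never required to change password:",
          service_accounts_never_required_to_change(SAMPLE_ACCOUNTS))
    print("'Password1' acceptable:", password_acceptable("Password1"))
```

Run against the constructed records, the report lists batch01, batch02 and admin7 with their specific failures and leaves jdoe out; the service-account count reproduces the kind of figure the auditors reported. The deny-list check is applied at password-set time rather than by comparing stored hashes, which is the control that prevents guessable passwords from being chosen in the first place.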

The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.

Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."
